There's No Opting Out of the California Consumer Privacy Act - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Management
07:00 AM
Jung-Kyu McCann, General Counsel, Druva
Jung-Kyu McCann, General Counsel, Druva

There’s No Opting Out of the California Consumer Privacy Act

As the countdown to January continues, it's up to executive teams to ensure their companies are complying and preparing for what's coming.

Image: Pixabay
Image: Pixabay

There’s no question that 2020 will be another busy year for enterprises, and to kick it off, on January 1 thousands of businesses will be impacted by the California Consumer Privacy Act (CCPA), the most comprehensive U.S. data privacy law to date. While some organizations overhauled and up leveled their data governance to comply with GDPR, some businesses pushed off global compliance by sandboxing their European data to fit the GDPR compliance standards. While such band-aid fixes may have seemed like a good idea at the time, the introduction of CCPA leaves far fewer options outside of full compliance.

Now, as the countdown to January continues, and presidential candidates shine a national spotlight on the topic, it’s up to executive teams to ensure their companies are in compliance and prepared for what’s coming on the data privacy horizon.

How CCPA differs from GDPR

CCPA is commonly referred to as California's version of General Data Protection Regulation (GDPR), and while there are some similarities -- such as individual rights to request, access, and delete personal information -- CCPA and GDPR vary in many important details. 

  • For starters, GDPR applies to all European data but is a minimum requirement. Individual countries in the EU have their own laws that are often more restrictive. Alternatively, CCPA is applicable to California data only and excludes any data that is already covered by a federal law, such as HIPAA or GLBA.
  • While GDPR protects personal information (PI) that could potentially identify a specific individual -- including name, address, telephone number and Social Security number (SSN) -- CCPA goes beyond to include product purchase history, social media activity, IP addresses, and household information. 
  • Under CCPA, companies are required to include a single, clear and conspicuous "Do Not Sell My Personal Information" link on homepages. Alternatively, GDPR offers various opt-out rights, each of which requires individual action.  
  • Under GDPR, administrative fines can reach 20 million euros or 4% of annual global revenue, whichever is greatest. For CCPA, the California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation. Note that every individual affected by a violation is counted as a violation, so an intentional breach of 100,000 people’s data could bring a total fine of $750M, plus damages of $1M to $7.5M to the victims. Businesses are granted a 30-day cure period for most violations, but CCPA and GDPR both provide for a private right of action in case of certain data breaches (i.e., an individual can sue the company directly). 

How to prepare

CCPA is only the beginning of data privacy regulations in the U.S. To prepare, here are few ways to ensure your organization is properly handling consumer data.

1. Audit how your company manages data

Determine how personal information – including categories outlined in the new definition – is collected, processed and stored. As data becomes more decentralized across mobile devices and apps, businesses need an information governance framework that establishes clear and structured policies for responsible data management. 

Schedule routine check-ins. Data mapping is not a one-time practice and should be part of daily vendor management and data audit practices. And always have appropriate documentation and audit records in case questions arise. 

2. Cross-functional collaboration is key

Constant monitoring of processes, data inventories, and vendors dealing with data requires a lot of work and often occurs across a variety of teams, meaning it requires support from technical teams, lawyers, and management. Additionally, given how CCPA expanded the definition of PI and states companies must identify all recipients (shared and sold) of collected PI, lead generation and other marketing practices must also be re-examined that may not have been previously reviewed. 

It is easy to put appropriate policies and processes in place – the challenge is enforcement. A highly functional team makes it that much easier to stay in compliance and rapidly respond to requests. 

3. Ensure technology is up to snuff

When there is an inquiry or request made regarding PI, an intuitive, comprehensive data management system can be critical to locating and eliminating data efficiently. And it should go without saying, but a strong security posture, including strengthening your network edge, hardening systems against potential intrusion and employing encryption technologies, is critical to deterring malicious actors. 

As January quickly approaches, every company should be taking time to review its data policies. The continuous news cycles around high-profile breaches, and a major election cycle will keep the discussion top of mind for millions of Americans. If your company has been putting off an overhaul of its approach to data management, now is the time to get serious. A little extra prep, and the right tools will save you and your organization a lot of long nights, and potentially millions of dollars, in the future.  

Jung-Kyu McCann brings more than 20 years of legal expertise to Druva, having represented public and private companies of all sizes. She joined Druva from Broadcom, where she served as Associate General Counsel, focusing on corporate matters and strategic transactions. Prior to Broadcom, she worked at Apple where she strengthened the company’s corporate governance framework and raised more than $100 billion in the global bond markets. She started her legal career at Shearman & Sterling and holds a leadership position at the Society for Corporate Governance. In 2017, she was recognized with the Rising Star award at the Corporate Governance Awards.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Why 2021 May Turn Out to be a Great Year for Tech Startups
John Edwards, Technology Journalist & Author,  2/24/2021
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll